China-Aligned Group Deploys ShadowPad and IOX Proxy in Targeted Espionage Across Asia
Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
AI tools may assist HackWatch with initial monitoring and source clustering. The public article is reviewed, fact-checked and edited by a real HackWatch reviewer before publication or material updates. Last human review: May 01, 2026.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the two corroborating sources.
Review our editorial policy or send corrections to [email protected].
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
A China-aligned threat actor known as SHADOW-EARTH-053 has conducted a multi-stage espionage campaign targeting government and critical infrastructure in eight Asian countries since late 2024, using advanced malware and legitimate system tools to evade detection.
GLOBAL, May 1, 2026, 08:19 UTC
- SHADOW-EARTH-053 has targeted government and critical-infrastructure organizations in eight Asian countries since December 2024
- The attack chain combines the ShadowPad backdoor, the IOX Proxy tunnelling tool and the Windows Management Instrumentation Command-line utility (WMIC)
- The campaign relies on living-off-the-land techniques to avoid detection and maintain persistence
A China-aligned threat group, tracked as SHADOW-EARTH-053, has been conducting a prolonged espionage campaign against government agencies and critical infrastructure across Asia, cybersecurity researchers reported. Active since at least December 2024, the group has targeted organizations in eight countries using a sophisticated multi-stage attack chain.
The campaign combines the ShadowPad backdoor, the IOX Proxy tunnelling tool and the Windows Management Instrumentation Command-line utility (WMIC), a built-in, Microsoft-signed Windows tool that is routinely abused for stealthy command execution. This blend of custom malware and living-off-the-land tactics lets the attackers slip past signature-based defences and keep long-term access.
ShadowPad, a modular backdoor with a long history in espionage operations, serves as the primary foothold. IOX Proxy, a port-forwarding and tunnelling tool, is used to carry the encrypted command-and-control traffic, so the backdoor's connections can be routed through a relay rather than made directly. WMIC is used to run commands and scripts, locally and, through its /node: switch, on other hosts, without the attackers introducing a new binary of their own; because the execution originates from a trusted Windows component, it is hard to flag on sight.
The group’s focus on government entities and critical infrastructure shows the strategic intent behind the campaign. Access to these sectors gives SHADOW-EARTH-053 sensitive intelligence and, in the critical-infrastructure cases, a position from which essential services could potentially be disrupted.
Researchers emphasize the campaign’s stealth and persistence. The attackers employ careful operational security, including encrypted communications and staged payloads, to avoid triggering alerts. The use of legitimate system tools complicates detection efforts by security teams.
This activity aligns with previous patterns attributed to China-aligned espionage groups, though SHADOW-EARTH-053 exhibits unique tooling and targeting. The campaign’s duration and geographic spread suggest a well-resourced operation with ongoing objectives.
Organizations in Asia’s government and infrastructure sectors are advised to review process-creation logs for signs of WMIC misuse and network logs for unusual outbound connections that could be ShadowPad or IOX Proxy traffic. Enhanced monitoring of native system tools and of outbound traffic can surface early indicators.
The risk of data exfiltration and operational disruption remains high while the attackers keep persistent access. Infections that go unidentified and unremediated mean continuing intelligence losses and attackers who stay positioned inside infrastructure networks.
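The WMIC review above is a process-creation hunt, not a network one. The following is an added example written for this alert; it is not code from HackWatch or from the researchers it cites. It scores Sysmon Event ID 1-style records (image, command line, parent image, user) against the patterns that distinguish abuse from inventory use: remote execution against another host (/node:), process spawning (process call create), explicit credentials, encoded PowerShell, payloads in user-writable directories, and WMIC launched by an Office or script-host parent. All events, hosts and users in it are constructed for the demonstration; the rule weights are the author's assumptions and should be tuned against local baselines.

```python
"""Hunt for WMIC misuse in process-creation telemetry.

Added example for this alert; not code from HackWatch or the cited
researchers. Scores Sysmon Event ID 1-style process-creation records
against patterns defenders associate with WMIC abuse. All sample
events are constructed; rule weights are assumptions to tune locally.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str


# Constructed sample events, not real telemetry from any incident.
SAMPLE_EVENTS = [
    # Local process spawn carrying an encoded PowerShell command.
    ProcEvent("ws01", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic process call create "cmd.exe /c powershell -enc aGVsbG8="',
              r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    # Remote execution on another host with explicit credentials (lateral movement).
    ProcEvent("ws01", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:fileserver02 /user:CORP\svc_backup process call create '
              r'"rundll32.exe C:\ProgramData\upd.dll,Start"',
              r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    # Benign inventory query from a management agent.
    ProcEvent("ws07", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption,version",
              r"C:\Program Files\Inventory\agent.exe", r"NT AUTHORITY\SYSTEM"),
    # Harmless-looking query, but launched by Word: reconnaissance after a macro.
    ProcEvent("ws12", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process get name,processid",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\bob"),
]

# (rule name, pattern applied to the command line, weight)
RULES = [
    ("remote_node", re.compile(r"/node:", re.I), 40),
    ("process_create", re.compile(r"\bprocess\s+call\s+create\b", re.I), 40),
    ("explicit_creds", re.compile(r"/user:", re.I), 10),
    ("encoded_powershell", re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\b", re.I), 20),
    ("payload_in_writable_dir", re.compile(r"(programdata|users\\[^\\]+\\appdata|\\temp)\\", re.I), 15),
]
# Parents that have no business launching WMIC on a workstation.
SUSPICIOUS_PARENTS = re.compile(r"\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$", re.I)
PARENT_WEIGHT = 30


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Score one event. Non-WMIC processes score 0; WMIC events accumulate
    the weight of every matching rule. Returns (score, matched rule names)."""
    if not ev.image.lower().endswith(r"\wbem\wmic.exe"):
        return 0, []
    score, hits = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(ev.command_line):
            score += weight
            hits.append(name)
    if SUSPICIOUS_PARENTS.search(ev.parent_image):
        score += PARENT_WEIGHT
        hits.append("office_or_script_parent")
    return score, hits


def hunt(events, threshold: int = 30):
    """Return (host, user, score, hits, command_line) for every event scoring at
    or above threshold, highest score first. At 30, one strong signal (remote
    node, process spawn, or a suspicious parent) is enough to surface an event."""
    findings = [(ev.host, ev.user, *score_event(ev), ev.command_line) for ev in events]
    findings = [f for f in findings if f[2] >= threshold]
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for host, user, score, hits, cmd in hunt(SAMPLE_EVENTS):
        print(f"{score:>4} {host:<5} {user:<18} {','.join(hits):<50} {cmd}")
```

The inventory query from the management agent scores zero and never surfaces, while the same kind of query launched by Word does, which is the point: for a native tool, who launched it and from where matters as much as the command itself. Feed real events from Sysmon or Security Event ID 4688 (command-line auditing must be enabled for 4688 to carry the command line) and add an allow-list for the parents and hosts that legitimately run WMIC before relying on the threshold.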
Given the campaign’s complexity, affected organizations should consider incident response engagements with cybersecurity experts specializing in advanced persistent threats. Deploying endpoint detection tools capable of spotting living-off-the-land techniques is critical.
Looking ahead, the evolving tactics of SHADOW-EARTH-053 highlight the need for continuous threat intelligence sharing and proactive defense measures. The group’s use of WMIC and proxy malware may inspire similar campaigns targeting other regions or sectors.
What to Do Now
- Audit process-creation logs (Windows Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) for WMIC and other native Windows tools run by unexpected users, parents or hosts.
- Monitor outbound traffic for connections to the ShadowPad and IOX Proxy command-and-control infrastructure published in the source reports, and for regularly timed connections to unfamiliar destinations that no indicator list yet covers.
- Apply endpoint detection and response (EDR) solutions with behavior-based detection.
- Conduct threat hunting exercises focused on living-off-the-land techniques.
- Engage cybersecurity incident response teams if suspicious activity is detected.
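Indicator lists lag the campaign, and the traffic here is encrypted, so the network side of the hunt has to rely on behaviour rather than content. The block below is an added example for this alert, not code from HackWatch or the cited researchers: implants that keep a channel to their operators open usually reconnect on a timer, so the gaps between connections from one host to one destination cluster tightly. The function groups connection records by (source host, destination, port), measures the spread of the inter-arrival times, and reports long, low-jitter series. The flows are constructed and use RFC 5737 documentation addresses; the thresholds are assumptions, and no real indicator is implied.

```python
"""Beacon-interval hunt over outbound connection records.

Added example for this alert; not code from HackWatch or the cited
researchers. Flags destinations that one host contacts on a regular
timer, which is how a persistent C2 channel looks in flow data even
when the payload is encrypted. Sample flows are constructed (RFC 5737
addresses); min_count and max_cv are assumed starting points.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows(base: int = 1_714_550_000):
    """Constructed (epoch seconds, source host, destination IP, destination port)
    records: one timer-driven series with a few seconds of jitter and one
    irregular, user-driven series to the same port."""
    flows = []
    for i in range(12):  # every 300 s, jitter of -1..+1 s
        flows.append((base + 300 * i + (i % 3) - 1, "ws01", "203.0.113.10", 443))
    for t in (17, 402, 455, 1610, 1640, 3300, 6100, 6122):
        flows.append((base + t, "ws07", "198.51.100.5", 443))
    return sorted(flows)


def beacon_candidates(flows, min_count: int = 8, max_cv: float = 0.05):
    """Return (src, dst, port, count, mean_gap_s, cv) for each series with at
    least min_count connections whose inter-arrival coefficient of variation
    (population stdev / mean) is at most max_cv. Short series are skipped
    because a handful of connections cannot establish a period."""
    series = defaultdict(list)
    for ts, src, dst, port in flows:
        series[(src, dst, port)].append(ts)
    out = []
    for (src, dst, port), times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            out.append((src, dst, port, len(times), round(m, 1), round(cv, 3)))
    # Tightest timing first; longer series break ties.
    return sorted(out, key=lambda r: (r[5], -r[3]))


if __name__ == "__main__":
    for row in beacon_candidates(build_sample_flows()):
        print("beacon-like:", row)
```

Only the ws01 series is reported: twelve connections about 300 seconds apart with under half a percent of jitter, while the ws07 traffic to the same port is too irregular to be a timer. In production, exclude the destinations your own agents are known to poll (update servers, EDR consoles, NTP) before reading the output, and remember that implants with deliberately large jitter, or with sleep intervals longer than your retention window, will fall below this detector and need the indicator-based checks as well.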
How to Secure Yourself
- Limit administrative privileges and restrict WMIC usage to trusted personnel. Microsoft has deprecated WMIC, and on current Windows releases it is an optional feature that can be removed; where nothing legitimate depends on it, removing it is simpler than monitoring it.
- Keep operating systems and security software up to date.
- Implement network segmentation to contain potential breaches.
- Use multi-factor authentication to protect critical accounts.
- Educate staff on phishing and social engineering tactics often used to initiate such attacks.
2026 Update
By mid-2026, SHADOW-EARTH-053 has expanded its toolset, incorporating additional proxy malware variants and refining its use of legitimate system tools to bypass emerging detection technologies. Continued vigilance and adaptive security postures remain essential to counter this evolving threat.
This report draws on multiple corroborating sources, including cybersecuritynews.com, which first detailed the campaign’s technical aspects and targeting scope.
https://cybersecuritynews.com/china-aligned-attackers-use-multi-stage-espionage-campaign/
Sources used for this article
gbhackers.com, cybersecuritynews.com
